Certik and Kraken in Bug Bounty Dispute

  • Kraken has claimed that a white hat hacker who exploited a bug leading to a $3 million loss has turned to extortion
  • The exchange claims the hacker has provided conditions before returning the funds
  • Blockchain security firm CertiK has revealed itself as the mysterious “white hat hacker”

Crypto exchange Kraken isn’t happy with a security researcher or white hat hacker who discovered a critical code fault in its system and exploited the weakness to cause a $3 million loss. The hacker had reported the bug to the exchange earlier but allegedly exploited it before it was fixed. Kraken claims that the hacker is demanding an undisclosed amount as a bounty before returning the funds, something that the exchange has equated to extortion and “not white hat hacking,” raising questions about whether the two will reach an agreement.

An Extremely Critical Bug

According to Kraken’s CSO Nicholas Percoco, the white hat hacker or security researcher, who happens to be blockchain security firm CertiK, reported a bug in the exchange’s systems on June 9. CertiK marked the bug as “extremely critical” because it allowed for the artificial inflation of a user’s balance.

Kraken fixed the weakness but discovered that three accounts had exploited the bug and withdrawn $3 million from the exchange’s treasuries. The security researcher allegedly refused to return the funds despite Kraken being ready to reward them for identifying a security flaw.

Kraken Turns to Threats?

CertiK has come forth to clarify that it’s the mysterious “security researcher” and that it didn’t refuse to refund the amount. According to the blockchain security firm, Kraken opted to threaten its team members and demanded the return of funds without “providing repayment addresses.”

CertiK added that Kraken’s systems have major flaws on different fronts. The security firm said, for example, that the exchange didn’t automatically detect the withdrawal of funds despite the “exploitation” taking several days.

Although Kraken and CertiK are trading accusations, they’ll likely come to an amicable conclusion, considering that the blockchain security firm is reputable.